Poisoning attacks can disproportionately influence model behaviour by making small changes to the training corpus. While defences against specific poisoning attacks do exist, they in general do not provide any guarantees, leaving them potentially countered by novel attacks. In contrast, by examining worst-case behaviours Certified Defences make it possible to provide guarantees of the robustness of a sample against adversarial attacks modifying a finite number of training samples, known as pointwise certification. We achieve this by exploiting both Differential Privacy and the Sampled Gaussian Mechanism to ensure the invariance of prediction for each testing instance against finite numbers of poisoned examples. In doing so, our model provides guarantees of adversarial robustness that are more than twice as large as those provided by prior certifications.

翻译：投毒攻击通过对训练语料库进行微小改动，能够不成比例地影响模型行为。尽管针对特定投毒攻击的防御方法确实存在，但它们通常无法提供任何保证，从而可能被新型攻击所规避。相比之下，通过考察最坏情况行为，认证防御能够针对修改有限数量训练样本的对抗性攻击，为样本的鲁棒性提供保证，这种认证被称为逐点认证。我们通过结合差分隐私和采样高斯机制来实现这一点，以确保每个测试实例在面对有限数量的投毒样本时，其预测结果具有不变性。通过这种方法，我们的模型提供的对抗鲁棒性保证，其规模是先前认证方法所提供保证的两倍以上。